Updating macOS can bring back the nasty “root” security bug

The security fix was rolled back when users updated to macOS 10.13.1.

The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1 (and thus were running a prior version of the OS when they received the security update) found that installing 10.13.1 resurfaced the bug, according to a report from Wired.

For these users, the security update can be installed again (in fact, it would be automatically installed at some point) after updating to the new version of the operating system. However, the bug is not fixed in that case until the user reboots the computer. Many users do not reboot their computers for days or even weeks at a time, and Apple's support documentation did not, at first, inform users that they needed to reboot. So some people may have been left vulnerable without realizing it. The documentation has been updated with the reboot step now.

The root bug allows anyone to log in or authenticate as a system administrator on systems running macOS High Sierra. In many circumstances, all they need to do is type in the username "root" and leave the password field blank. The bug was so serious that it drew an uncharacteristically strong apology from Apple, which said its "customers deserve better."

After the bug got widespread attention on Twitter and in the press, Apple moved quickly to fix it with Security Update 2017-001. But some users quickly discovered that the security update broke file sharing functionality. Apple, in turn, released a new version of the security update that addressed that issue. Now, within a few days, this additional wrinkle has been discovered.

Samuel Axon
Based in Los Angeles, Samuel is the Senior Reviews Editor at Ars Technica, where he covers Apple products, display technology, internal PC hardware, and more. He is a reformed media executive who has been writing about technology for 10 years at Ars Technica, Engadget, Mashable, PC World, and many others. Email: samuel.axon@arstechnica.com | Twitter: @SamuelAxon